High Availability Design

Author : MD TAREQ HASSAN | Updated : 2021/12/27

What does high availability mean?

The ability of a system to operate continuously without failing for a designated period of time
High availability ensures an agreed level of operational performance, usually uptime
Higly available systems are dependable enough to operate continuously without fail

How to achieve high availability?

High availability is achieved with redundency
Resource is deployed into multiple availability zones which gives high availability

Virtual network gateway

Redundnecy of Virtual Network Gateway (VPN or ExpressRoute) depends on public IP resource of Standard SKU
- If public ip is zone redundant i.e. ‘-Zone 1,2,3’, then Gateway will also be deployed to all 3 zones
- If public ip is zonal means deployed to a specific zone, then Gateway will also be zonal
Zone-redundant gateways
- For a VPN gateway, the two gateway instances will be deployed in any 2 out of these three zones to provide zone-redundancy.
- For an ExpressRoute gateway, since there can be more than two instances, the gateway can span across all the three zones.
“AZ” in the gateway SKU name:
- VPN and ExpressRoute gateways can be deployed in Azure Availability Zones
- zone-redundant gateway: deploy to all availability zones
- zonal gateway: deploy to specific zone only
To create zone-redundant (highly avaialable) gateway:
- Create Public IP Adrress with “zone-redundant” (-Zone 1,2,3)
- Create gateway with “AZ” in the SKU name
  - ExpressRoute Gateway
    - ERGw1Az
    - ERGw2Az
    - ERGw3Az
    - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
  - VPN Gateway
    - VpnGw2AZ
    - VpnGw3AZ
    - VpnGw4AZ
    - VpnGw5AZ
    - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#benchmark
https://docs.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways#pipskus
https://docs.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways#pipzrg

Firewall

Create zone-redundant public IP
Create zone-redundant Firewall
- Azure portal
  - https://portal.azure.com/#create/microsoft.AzureFirewall
  - Instance details: Availability zone > select all zones
- PowerShell: see below
Note: Availability Zones for Firewall can only be configured during deployment. You can’t configure an existing firewall to include Availability Zones.

Using PowerShell

# No specific zone is specified. This creates a zone-redundant IP address by default
$pip1 = New-AzPublicIpAddress `
  -Name "AzFwPublicIp1" `
  -ResourceGroupName "rg" `
  -Sku "Standard" `
  -Location "centralus" `
  -AllocationMethod Static

New-AzFirewall `
  -Name "azFw" `
  -ResourceGroupName $rgName `
  -Location centralus `
  -VirtualNetwork $vnet `
  -PublicIpAddress @($pip1) `
  -Zone 1,2,3

Application gateway

Create zone-redundant public IP
Create zone-redundant application gateway
- In portal, zones can be selected
- In PowerShell, there is -Zone flag

Portal

Azure Application Gateway - zone selection during provisioning

PowerShell (https://docs.microsoft.com/en-us/powershell/module/az.network/new-azapplicationgateway)

New-AzApplicationGateway `

# ... ... ...

-Zone 1,2,3